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(54) System and method for providing an additional cryptography layer for postage meter refills 



(57) A system and method is provided for refilling a 
postage metering system (100) that includes a host 
(114) coupled to a postal security device (PSD) (112). A 
user enters a first request for postage refill which is 
transmitted to a meter server (120). The meter server 
(120) transmits a request for a PSD audit to the postage 
metering system (100). PSD audit data is signed with a 
first secret key stored in the PSD (112) to produce an 
audit message that includes a first signature and the 
PSD audit data. The audit message is transmitted to the 
meter server (120) which transmits the first signature to 
a key management system (130) which then verifies the 
first signature using a second secret key stored in the 
key management system (130). The PSD audit data is 
verified at the meter server (120) which then constructs 
a second request for meter refill and transmits it to a 
meter recharging data center (140). The meter recharg- 
ing data center (1 40) generates a refill combination and 
transmits it to the meter server (1 20). The refill combina- 
tion is transmitted from the meter server (1 20) to the key 
management system (130) for signature using the sec- 
ond secret key to produce a refill message that is trans- 
mitted to the meter server (120). The refill message 
includes a second signature and the refill combination. 
The refill message is transmitted to the PSD (112) 
which verifies the signature and the refill combination 
using the first secret key and credits the PSD (1 12) for 
the amount. 



FIG. 3 



130- 



KHS 




RHRS 


; PROCESSOR 




PROCESSOR i 



112^ 




PSO 




HOST 





Primed by Xerox (UK) Business Services 
2.16.3/34 



12/18/2002, EAST Version: 1.03.0002 



1 



EP 0 854 446 A2 



2 



Description 

The present invention relates generally to a system 
and method for remote resetting of postage meters and 
similar systems and, more particularly, to the security of s 
such remote resetting. 

The Information -Based Indicia Program (IBIP) is a 
distributed trusted system proposed by the United 
States Postal Service (USPS). The IBIP is expected to 
support new methods of applying postage in addition to, 10 
and eventually in lieu of, the current approach, which 
typically relies on a postage meter to mechanically print 
indicia on mailpieces. The IBIP requires printing large, 
high density, two dimensional (2-D) bar codes on mail- 
pieces. The Postal Service expects the IBIP to provide 15 
cost-effective assurance of postage payment for each 
mailpiece processed. 

The USPS has published draft specifications for the 
IBIP. The INFORMATION BASED INDICIA PROGRAM 
(IBIP) INDICIUM SPECIFICATION, dated June 13, 20 
1996, defines the proposed requirements for a new ind- 
icium that will be applied to mail being processed using 
the IBIP. The INFORMATION BASED INDICIA PRO- 
GRAM POSTAL SECURITY DEVICE SPECIFICATION, 
dated June 13, 1996, defines the proposed require- 25 
ments for a Postal Security Device (PSD) that will pro- 
vide security services to support the creation of a new 
"information based" postage postmark or indicium that 
will be applied to mail being processed using the IBIP. 
"me INFORMATION BASED INDICIA PROGRAM 30 
HOST SYSTEM SPECIFICATION, dated October 9, 
1 996, defines the proposed requirements for a host sys- 
tem element of the IBIP. The specifications are collec- 
tively referred to herein as the "IBIP Specifications". The 
IBIP includes interfacing user (customer), postal and 35 
vendor infrastructures which are the system elements of 
the program. 

The IBIP PSD Specification requires a signature of 
each request for an automatic remote refill, i.e., reset- 
ting or recharging, of postal value to a PSD. The Speci- 40 
fication also requires that certain data elements be 
included. 

Various schemes have been devised and imple- 
mented to obtain a desired remote recharging of a post- 
age meter based on information from a remote data 45 
processing center. Typical postage meter refill systems 
and methods do not include all of the required data ele- 
ments and do not include a signature of the request for 
refill. 

A system for the remote resetting of postage so 
meters is marketed by the assignee of the present appli- 
cation under the trademark "Postage By Phone" and is 
described in U.S. Patent No. 4,097,923. Briefly stated, 
the recharging process includes an operator obtaining 
an "access code" from the meter. This code represents ss 
an encryption of at least a "control sum" and meter 
serial number, where the control sum corresponds to 
the total amount of funds with which the meter has been 



charged to date. This access code is generated by the 
meter and may be read from the meter cfisplay upon 
operator request. The operator then communicates the 
access code, the amount by which the meter is to be 
recharged, an account number against which the 
recharge amount is to be debited, and the meter identi- 
fication number to a remote data processing center. At 
the data processing center the access code is validated 
and a "combination code" (also known as a "recharge 
code") is generated as a function of at least the amount 
by which the meter is to be recharged and the meter 
identification number. This recharge code is communi- 
cated to the operator who enters the amount together 
with the recharge code into the postage meter through 
its keyboard. The postage meter then validates the 
recharge code and increments a descending register of 
the meter by the amount requested. It is well known in 
the postage meter art that the descending register of a 
postage meter is decremented by the amount of post- 
age dispensed, and an ascending register is incre- 
mented by this same amount, each time the meter 
prints an indicium. The control sum is thus the sum of 
the contents of the descending and ascending registers. 
The meter is designed so that it will not print postage if 
sufficient funds are not available in the descending reg- 
ister. 

Variations to the Postage By Phone remote 
recharging system are described in various U.S. pat- 
ents. For example, in U.S. Patent No. 5,224,046, a sys- 
tem for obtaining recharge codes for one or more 
postage meters includes a conventional microcomputer 
that is connected through a modem to a remote data 
processing center. In U.S. Patent No. 5,233,531 the 
request for recharge of a postage meter is transmitted 
through a facsimile communication. 

The IBIP requirements would require a remote 
recharging infrastructure that is different than the typical 
systems that are presently in use. Furthermore, imple- 
mentation of the proposed IBIP requirements would 
result in the PSD master key being used for multiple 
purposes, i.e. for the generation of verification tokens 
and for the signature of the recharging request. Such 
multiple uses of cryptographic keys are discouraged in 
cryptographic systems because of the potential com- 
promise to the security of the system. 

It has been found that the present invention enables 
the use of existing infrastructure of a recharging system 
and also avoids multiple use of the PSD master key. 
Furthermore, the present invention increases the secu- 
rity in automatic remote resetting transactions. The 
present invention meets the USPS objectives set forth 
in the IBIP Specifications without the need for a more 
complicated infrastructure or for the multiple use of the 
PSD master key. The present invention does this by 
adding a cryptographic layer to an existing proven infra- 
structure, such as Postage By Phone. 

The Postal Security Device (PSD) will have a secret 
key (Triple DES, RC2, RC4 etc.) installed during the 
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manufacturing initialization phase. This key will be used 
to provide the additional cryptographic layer during 
Postage By Phone transactions. 

The present invention provides a system and 
method for refilling a postage metering system that 
includes a host coupled to a postal security device 
(PSD). A user enters a first request for postage refill 
which is transmitted to a meter server. The meter server 
transmits a request for a PSD audit to the postage 
metering system. PSD audit data is signed with a first 
secret key stored in the PSD to produce an audit mes- 
sage that includes a first signature and the PSD audit 
data. The audit message is transmitted to the meter 
server which transmits the first signature to a key man- 
agement system which then verifies the first signature 
using a second secret key stored in the key manage- 
ment system. The PSD audit data is verified at the 
meter server which then constructs a second request 
for meter refill and transmits it to a meter recharging 
data center. The meter recharging data center gener- 
ates a refill combination and transmits it to the meter 
server. The refill combination is transmitted from the 
meter server to the key management system for signa- 
ture using the second secret key to produce a refill mes- 
sage that is transmitted to the meter server. The refill 
message includes a second signature and the refill 
combination. The refill message is transmitted to the 
PSD which verifies the signature and the refill combina- 
tion using the first secret key and credits the PSD for the 
amount. 

The above and other objects and advantages of the 
present invention will be apparent upon consideration of 
the following detailed description, taken in conjunction 
with accompanying drawings, in which like reference 
characters refer to like parts throughout, and in which: 

Fig. 1 is a schematic block diagram of a prior art 
system for a remote meter recharging of a postage 
meter; 

Fig. 2 is a flow chart of the remote recharging proc- 
ess of the prior art system of Fig. 1 ; 
Fig. 3 is a schematic block diagram of a remote 
meter recharging system in accordance with an 
embodiment of the present invention; and 
Fig. 4 is a flow chart of the remote recharging proc- 
ess of the remote meter recharging system of Fig. 3 
in accordance with an embodiment of the present 
invention. 

In describing embodiments of the present inven- 
tion, reference is made to the drawings, wherein there is 
seen in Fig. 1 a schematic block diagram of a prior art 
system for a remote meter recharging system (also 
known as RMRS). The system includes a conventional 
electronic postage meter 10, including a microcom- 
puter, keyboard, display and memory, which is con- 
nected through a modem to a remote data processing 
center 20. The center 20 provides codes to recharge the 



meter 10. In an alternate configuration (not shown), as 
described in U.S. Patent No. 5,224,046, the meter is 
coupled to a conventional personal computer system 
which is connected through a modem to the remote 

s data processing center. A Key Management System 30 
generates, manages and distributes cryptographic 
keys. When a new meter 10 is put in service the Key 
Management System 30, through a key distribution sys- 
tem, gives the necessary keys to the meter 10. 

10 Referring now to Fig. 2, there is shown a typical 
process to recharge postage meters for the prior art 
system of Fig. 1. At step 100, a user initiates a meter 
recharge request for a specific amount by entering 
through the keyboard certain information, including the 

is specific amount, and customer account number. At step 
110, the meter constructs a request for meter refill 
including an access code. At step 120, the meter then 
forwards the request to the remote data processing 
center. At step 130, the remote data center verifies the 

20 access code, if not correct, at step 140, an error is 
flagged. If correct, the remote data center processes the 
request and generates a refill combination that is unique 
for the requesting meter, and sends the refill combina- 
tion to the meter. At step 160, the meter verifies that the 

25 refill combination is correct. If correct, at step 170, the 
descending register of the meter is incremented in the 
amount of the requested postage. If not correct an error 
is flagged. 

In accordance with embodiments of the present 

30 invention, a module is added to a typical remote meter 
recharging system, such as the Pitney Bowes Postage 
By Phone system. The module interfaces with the Key 
Management System and the postage meter. In the pre- 
ferred embodiment of the present invention, the added 

35 module is a meter server. In an alternate embodiment, a 
software module, which is added to the existing remote 
meter recharging computer system in lieu of the sepa- 
rate Meter Server, performs the same functions as the 
Meter Server but in the remote meter recharging com- 

40 puter system. 

Referring now to Fig. 3, a schematic block diagram 
of a postage evidencing system which includes a 
remote meter recharging system in accordance with an 
embodiment of the present invention is shown. The 

45 postage evidencing part of the system, generally desig- 
nated 100, comprises a postal security device (PSD) 
1 12 coupled to a host system 1 14, which may be a con- 
ventional computer system or a postage meter. The 
PSD 112 is a secure processor-based accounting 

so device that dispenses and accounts for postal value 
stored therein. The host 114 is conventionally con- 
nected to a remote Meter Server 120 which establishes 
on-line connections to several other computer systems, 
such as a Key Management System 130 and a Remote 

55 Meter Recharging System 140. The Key Management 
System 130 generates, manages and distributes cryp- 
tographic keys and handles obtaining meter certificates. 
When a new PSD 1 12 is put in service the Key Manage- 
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ment System 130, through a key distribution system, 
gives the necessary keys to the Meter Server 120 so it 
can process meter refills and audits. 

During manufacturing initialisation of a PSD 1 12 the 
Key Management System 130 provides a secret key to s 
the PSD 112. The secret key may be unique to the PSD, 
or, preferably, is a key from a "1000 Key System." as 
described in European Patent Application Serial No. 
971 19056.6, filed October 31, 1997, and European Pat- 
ent Publication No. 0647924, filed October 7, 1 994, both 10 
assigned to the assignee of the instant application. The 
secret key which is stored in an encrypted format in the 
KMS database, is loaded from the secure KMS system 
in a manner similar to that described in European Pat- 
ent Publication No. 0735722, filed April 1, 1996 and 75 
assigned to the assignee of the instant application. 

When the PSD performs a remote meter recharging 
transaction it signs the data portion of its recharge 
request message using the secret key. The Key Man- 
agement System 1 30 is preferably located at the same 20 
location as the Meter Server 120 and is directly con- 
nected to the Meter Server computer system. The Meter 
Server 120 may be located at the Remote Meter 
Recharging Data Center, also known as the Vendor 
Data Center. 25 

Referring now to Fig. 4, the remote recharging 
process in accordance with embodiments of the present 
invention is described. At step 200, a user requests a 
postage refill for a specified dollar amount D. The host, 
at step 205, connects with the Meter Server which then 30 
requests, at step 210, a PSD audit. At step 215, the 
PSD signs audit data with its secret key K 1 to produce 
an audit message M A . Audit data minimally includes 
PSD ID, control sum and ascending or descending reg- 
ister, but may also include: number of previous refills, 35 
piece count or other PSD related data. It is noted that a 
typical remote meter recharging system, such as the 
Pitney Bowes Postage By Phone system, sends just a 
code representing the audit data. 

At step 220 the host sends the signed audit mes- 40 
sage M A and the refill request to the Meter Server. The 
Meter Server, at step 225, sends the signed audit data 
to the Key Management System, which, at step 230, 
retrieves the appropriate secret key K 1 from its data- 
base and verifies the signature of audit message M A 45 
using the secret key K v If the signature is correct, at 
step 235, the Key Management System, at step 240, 
confirms the verification to the Meter Server. If the sig- 
nature is not correct, then an error signal is sent from 
the Key Management System to the Meter Server which so 
in turn sends the error signal to the PSD. If the signature 
has been verified, then, at step 250, the Meter Server 
checks the audit data. If the data is not complete or is 
not consistent with prior audits or verifications for the 
meter, an error is flagged. If the audit data is acceptable, ss 
the Meter Server, at step 260, constructs a request for 
meter refill and sends it to the Remote Meter Recharg- 
ing Center. 



At step 265, the Remote Meter Recharging Center 
processes the request and generates a refill combina- 
tion Mo and sends it to the Meter Server. At step 270, 
the Meter Server sends the refill combination Mc to the 
Key Management System for signature. The Key Man- 
agement System, at step 275, signs the refill combina- 
tion M c with the secret key K t to produce a refill 
message M R . At step 280, the Key Management Sys- 
tem sends the signed refill message M R to the Meter 
Server, which, at step 285, sends the signed refill mes- 
sage M R to the PSD. At step 290, the PSD verifies the 
signature of refill message M R using the secret key K-). 
If the signature is correct at step 295, the PSD then 
determines, at step 300, if the refill combination M c is 
correct If the refill combination M c is correct then, at 
step 305, the PSD is credited for the requested amount 
D. If either the signature or the refill combination M c is 
not correct, an appropriate error is flagged. 

It is noted that request and combination codes are 
calculated as described in U.S. Patents Nos. 4,097.923. 
5,224,046 and 5,233,531, which are incorporated 
herein for the purpose of describing such calculations. It 
is further noted that in the preferred embodiment of the 
present invention, the process has been described with 
the messages being signed, ft will be understood by 
those skilled in the art that the process will work as well 
with the messages being encrypted and decrypted 
rather than being signed. It is also noted that although 
the preferred embodiment of the present invention is 
described using secret key cryptography, public key 
cryptography could be used as well. 

Finally, it has been found that physically separating 
where the refill combination is generated and where it is 
signed adds to the security of the system. By separating 
the processes required to generate a valid refill mes- 
sage, the system is protected from a single point com- 
promise. 

While the present invention has been disclosed and 
described with reference to a single embodiment 
thereof, it will be apparent, as noted above, that varia- 
tions and modifications may be made therein. It is, thus, 
intended in the following claims to cover each variation 
and modification that falls within the true spirit and 
scope of the present invention. 

Claims 

1. A method for refilling a postage metering system 
(100) comprising a host (114) coupled to a postal 
security device (PSD) (112), the method compris- 
ing the steps of: 

entering through the host (114) a first request 
for postage refill including an amount the post- 
age metering system (100) is to be refilled; 
transmitting said request for postage refill to a 
meter server (120); 

signing PSD audit data with a first key stored in 
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the PSD (112) to produce an audit message, 

said audit message including a first signature 

and said PSD audit data; 

transmitting said audit message to said meter 

server (120); s 

verifying said first signature using a second 

key; 

verifying said PSD audit data at said meter 
server (120); 

transmitting a second request for meter refill io 
from said meter server (120) to a meter 
recharging data center (140); 
generating a refill combination at said meter 
recharging data center (140) in response to 
said second request for meter refill; 15 
transmitting said refill combination to said 
meter server (120); 

signing said refill combination using a third key 
to produce a refill message, said refill message 
including a second signature and said refill 20 
combination; 

transmitting said refill message to said PSD 
(112); 

verifying said signature and said refill combina- 
tion using a fourth key; and 25 
crediting said PSD (1 12) for said amount when 
said second signature and said refill combina- 
tion are verified. 

2. The method of Claim 1 wherein the step of transmit- so 
ting a request for a PSD audit from said meter 
server (120) comprises the steps of: 

transmitting said request for a PSD audit to 
said host (114); and 35 
transmitting said request for a PSD audit from 
said host (1 14) to said PSD (1 12). 

3. The method of Claim 1 or 2 wherein the step of 
transmitting said refill message to said PSD com- 40 
prises the steps of: 

transmitting said refill message to said host 
(114); and 

transmitting refill message from said host to 45 
said PSD (112). 

4. The method of Claim 1 , 2 or 3 comprising the fur- 
ther step of: generating an error signal when said 
first signature is not verified. so 

5. The method of any one of the preceding claims 
comprising the further step of: 

generating an error signal when said PSD audit ss 
data is not verified by said meter server (1 20). 

6. The method of any one of the preceding claims 



comprising the further step of: 

generating an error signal when at least one of 
said signature and said refill combination are 
not verified by said PSD (1 12). 

7. The method of any one of the preceding claims 
wherein said first and second keys are identical. 

8. The method of any one of the preceding claims 
wherein said third and fourth keys are identical. 

9. The method of any one of Claims 1 to 6 wherein 
said first and second keys are a public key pair. 

1 0. The method of any one of Claims 1 to 6 wherein 
said third and fourth keys are a public key pair. 

11. A system for refilling a postage metering system 
(100) comprising a host (114) coupled to a postal 
security device (PSD) (112), the refilling system 
comprising: 

a meter server (120) operatively coupled to the 
postage metering system (100) for receiving a 
meter refill request message therefrom and for 
transmitting a refill message thereto; 
a meter refilling data center (140) operatively 
coupled to the meter server (120), said meter 
refilling data center (140) including means for 
generating a refill combination in response to a 
request for meter refill received from said meter 
server (120); and 

a key management system (130) operatively 
coupled to said meter server (120), said key 
management system (130) having stored 
therein a first key corresponding to a second 
key stored in the PSD, wherein said key man- 
agement system is operable to verify a first sig- 
nature in said refill request message received 
by said meter server from the postage metering 
system, and wherein said key management 
system (130) is operable to sign said refill com- 
bination to produce said refill message. 

12. A method for refilling a postage metering system 
(100) comprising a host (114) coupled to a postal 
security device (PSD) (112), the method compris- 
ing the steps of: 

entering through the host (114) a first request 
for postage refill including an amount the post- 
age metering system is to be refilled; 
transmitting said request for postage refill to a 
meter server (120); 

receiving said request for postage refill at said 
meter server (120); 

transmitting a request for a PSD audit from said 
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meter server (120) to the postage metering 
system (100); 

signing PSD audit data with a first key stored in 
the PSD (112) to produce an audit message in 
response to said request for a PSD audit, said s 
audit message including a first signature and 
said PSD audit data; 

transmitting said audit message to said meter 
server (120); 

transmitting said first signature to a key man- 10 
agement system (130); 

verifying said first signature at the key manage- 
ment system (130) using a second key stored 
in the key management system; 
verifying said PSD audit data at said meter 15 
server (120); 

constructing a second request for meter refill at 
said meter server (120); 
transmitting said second request for meter refill 
to a meter recharging data center (1 40); 20 
generating a refill combination at said meter 
recharging data center (140) in response to 
said second request for meter refill; 
transmitting said refill combination to said 
meter server (120); 25 
transmitting said refill combination from said 
meter server (120) to said key management 
system (130); 

signing said refill combination using a third key 
to produce a refill message at said key man- 30 
agement system (130) and transmitting said 
refill message to said meter server (120), said 
refill message including a second signature 
and said refill combination; 
transmitting said refill message to said PSD 35 
(112); 

verifying said signature and said refill combina- 
tion using a fourth key; and 
crediting said PSD (112) for said amount when 
said second signature and said refill combina- 40 
tion are verified. 
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